The following is a list of policies and
procedures which have been deemed necessary for the best possible technology
security for the School of Architecture and the various students, faculty,
and staff which make up the Community. Where possible, source documents,
including federal and/or state legal precedents, have been cited and/or
linked.
Security Awareness:
Risk Assessment- Assessment
of outside risk and the School of Architecture’s
ability to respond to threats should occur at least once per calendar year.
This assessment should include, but not necessarily be limited to, ITC’s
Self-Assessment Checklist.
Ref: COV ITRM Guideline: http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
ITC Self-Assement Checklist: http://www.itc.virginia.edu/security/checklist/checklist_intro.html
User Awareness/Training- Users should be made aware through an orientation
process of existing risks and what they can do to prevent them. Users should
be briefed on the availability of software and other in-place security measures
and how to interact with and what to expect from those security systems and
procedures.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
Staff Technical Training- Staff should be trained and/or certified and
up-to-date in appropriate system administration and related skills.
All of the School’s
staff who make use of computing technologies, regardless of department, should
have a basic level of training. Technical staff will be certified and/or trained
to a higher degree.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
Technical Communications (Both to Staff and to Users)- Technologies and/or
services should be implemented to communicate technical information and notifications
regarding the status of security events and safeguards to all members of the
Community.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
Authentication and Authorization:
Authentication of Users- Authentication via “Best
Practice” technology
should be required of all users in the community. Authentication should be
required at User logon to client computers and any other Point of Access to
data and/or services provided by the School of Architecture.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
Password Protection of Account Access- Password-protected logon to both network
services and individual client computers should be required at all times.
Passwords should comply with current best possible security practices. All
passwords
and accounts will be unique and personal to a human individual, not generic
or shared, as in group accounts. All accounts will be received through either
ITC of the Computer Technologies Office of the School of Architecture.
Passwords and other sensitive account information should never be given out,
written down, distributed, or in any other way disseminated to any parties,
either within or outside of the Community.
Access to Wired and Wireless Networks- Access to the School’s networks
via either a physical Ethernet connection or a wireless connection should be
limited to those users which have submitted their computer’s MAC address
to ITC and to the School of Architecture.
Data Security:
Password Protected Screen Savers- Screen savers should be enabled on
client computers which activate after a maximum of ten (10) minutes of
user inactivity.
The subsequent deactivation of these screen savers should be password protected.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
Controlled Network Authorization- Access to the School of Architecture’s
network from computers outside the network should be protected via firewall,
IPSec, TCP wrapper, VPN, and/or associated security technologies.
Sensitive Data Authorization and Access- Sensitive data should have a higher
level of authorization in order to access it. That is, in addition to password
control and/or authentication for access to the file system, additional (further)
password and authentication should be implemented to protect sensitive data.
Current examples of this technology are password protection of individual
Excel spreadsheets or “grant tables” in a database context.
Access to sensitive data will be given only to those with direct need for
such access.
Computer (Machine) Security:
Up-to-date Antivirus and System Security Software- Individual computers
on the School’s networks should be updated with the most current
version of antivirus and/or security software, which should include,
but not be limited
to, virus definitions, operating system updates, and the like.
Systems Interoperability Security:
Transmission of Data- Unencrypted Telnet, FTP, or R-Utilities should
not be used. Secure alternatives, such as SSH or SFTP should be used
instead.
E-mail
of sensitive information as clear text should never be performed, as this
method is insecure. In those cases where e-mail is required, such electronic
transmissions
must be encrypted via a standard technology such as PGP.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
Transmission of Data- Internal- Data transferred across the School’s
network should use the best possible practice for security.
Physical Security:
Controlled Access to Important Systems- Servers, routers, and other hardware
which is critical to the School’s operation of its networks should
be physically secured in spaces to which access can be controlled through
the
use of keys or keypads. When third parties need access to these systems or
hardware (such as for maintenance), they should be accompanied by an authorized
member of the technical staff.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
Documentation of System Configurations for Critical Hardware- In order to
make possible tampering easier to recognize and correct, the physical setup
of critical
hardware should be documented. That is, cable connections, drive locations,
and other physical characteristics of the setup of servers, routers, network
equipment, etc. should be recorded and/or catalogued.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
Theft Prevention Measures for Public Hardware- Computers, scanners, printers,
and other pieces of computing hardware which are in public spaces should
be secured physically through the use of security cables, padlocks, and the
like.
Staff/Faculty Access to Personal Computers- Faculty and staff should follow
the best possible security practices to prevent unauthorized access to computers
which they use at their desks. This includes, but should not be limited to,
password protected screen savers, locking offices when unoccupied, and limiting
or preventing access to faculty/staff computers by students serving as teaching
and/or research assistants.
Monitor Visibility- On computers in which especially sensitive information
(such as Social Security Numbers), is stored and/or displayed, the monitors
and/or displays of those computers should be physically arranged in such
a way that the screen of the monitor or display cannot be seen by anyone
other
than those persons which are authorized to view the sensitive information.
Ref: HIPAA http://www.hhs.gov/ocr/hipaa
Threat Detection:
Intrusion Detection Mechanisms- Detection of attempts to illicitly gain
access to the School’s networks should occur on both sides of the School’s
firewall. Best possible practices include, but should not be limited to,
external threat detection by ITC, and internal detection of threats through
the use
of virus detection software, audit tracking, audit logs, and Web service
logs.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
Termination-Related Security:
Account Access for Users Who Leave the Community- When students graduate
from the School of Architecture, and in cases in which faculty or staff resign,
retire, are terminated, or in any other way leave the Community, account
access
to the School’s network, physical hardware, and all other computing
technology for that person should be terminated.
In the case of students, a grace period of 60 should days should be extended
past graduation to ensure removal of data and other electronic materials
from the School’s networks and hardware. All faculty and staff should
lose access privileges immediately upon leaving the Community, unless arranged
for
separately and on an individual basis.
Personal Data on School-Owned Hardware- Any and all personal or academic
data which is kept on office and/or portable computers should be removed
by its
owner prior to leaving the Community. Data which is sensitive or proprietary
to the School shall not be taken with the employee upon termination, retirement,
or resignation.
The School of Architecture will, upon repossession of the hardware, reformat,
delete, or otherwise make inaccessible all data and/or software which belonged
to the User. The School is not responsible for copying, backing up, or in
any other way safeguarding the data on the computer after its repossession.
|